As part of FileVault on Apple File System, Apple introduced a new account attribute called Secure Token. Secure Token can present some interesting complications for Mac admins and among them is this scenario:
“The laptop is decrypted, but we can’t re-enable FileVault now.”
Usually, this happens because the account password was changed outside of the Users & Groups preference pane in System Preferences and now Secure Token and the account password are out of sync with each other.
Up until today, the only fix I knew of for that situation was to back up the data and wipe the drive. However, it looks like there is a workaround that fixes the password problem and sorts out the Secure Token attribute for the account on a decrypted laptop. For more details, please see below the jump.
To fix the account, the resetFileVaultpassword tool needs to be run from macOS Recovery. To access this tool, use the following procedure:
1. Boot the Mac into macOS Recovery.
2. Under the Utilities menu, select Terminal.
3. In Terminal, enter the following command and hit Enter.
resetFileVaultpassword
This will launch a Reset Password window behind the Terminal window.
If you just have one account on the Mac (which is likely if you find yourself in this scenario) the account should automatically be selected.
4. Enter a new password and verify it, then click the Next button.
5. When prompted, click the Restart button.
As part of the password reset process, the resetFileVaultpassword tool also resyncs the Secure Token attribute for the account. That should allow FileVault to work normally again.
Note: If you have multiple accounts on this Mac, the Reset Password tool requires all accounts’ passwords to be changed.
Following the reboot, you should now be able to enable FileVault on this Mac.
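To confirm that the account's Secure Token really is back in sync before turning FileVault on (and to spot the out-of-sync state on other Macs), here is an added check script that is not part of the original post. It uses macOS's own sysadminctl, fdesetup and dscl; the parsing assumes sysadminctl's "Secure token is ENABLED/DISABLED for user" wording, and it should be run with sudo.

```shell
#!/bin/bash
# Added example (not from the original post): report the FileVault state and
# the Secure Token status of every local account with a UID of 500 or above.
# Run it on the affected Mac before and after the resetFileVaultpassword fix;
# the account you will use to enable FileVault should show ENABLED afterwards.

# Parse one line of `sysadminctl -secureTokenStatus` output.
# Prints ENABLED, DISABLED, or UNKNOWN (e.g. for a nonexistent account).
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  printf 'ENABLED\n' ;;
        *"Secure token is DISABLED"*) printf 'DISABLED\n' ;;
        *)                            printf 'UNKNOWN\n' ;;
    esac
}

# Local accounts with UID >= 500 (real users, not system/service accounts).
local_users() {
    dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Query one account; sysadminctl writes its status line to stderr.
token_status_for() {
    parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

report() {
    printf 'FileVault: %s\n' "$(fdesetup status | head -n 1)"
    local user status
    for user in $(local_users); do
        status="$(token_status_for "$user")"
        printf '%-20s Secure Token: %s\n' "$user" "$status"
    done
}

# The report only makes sense on macOS; the parser can be exercised anywhere.
if [ "$(uname)" = "Darwin" ]; then
    report
fi
```

An account that shows DISABLED here cannot be used to enable FileVault, which is the symptom the password reset above corrects.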
Thanks to the folks in the #security channel in the MacAdmins Slack for identifying and testing this workaround.